Privacy policy

Data we process

Final Whistle stores only data needed to operate and secure the service.

• League names, emoji, language, capacity, and settings.
• Participant nicknames, selected flags, language preferences, and predictions.
• Hashed recovery credentials and HTTP-only session identifiers.
• HMAC-hashed IP-derived abuse-prevention identifiers, technical logs, and administrative audit events.

Why we process it

The data is used to create and administer leagues, authenticate participants, enforce prediction locks, calculate scores, prevent abuse, investigate failures, and preserve an audit trail.

Cookies and browser storage

Participant and administrator sessions use secure, HTTP-only cookies. JavaScript cannot read their values.

Final Whistle does not store session tokens, admin tokens, or recovery codes in local storage. One-time credentials must be saved by the user when shown.

Private links and visibility

League links are not indexed, but anyone who receives a valid invite link can reach that league’s public join screen. Locked predictions and league rankings are shared according to the game rules.

Analytics and third parties

Final Whistle does not use analytics tracking in v1. Hosting and backup infrastructure process service data only as needed to run and protect the application.

Retention and deletion

League data is scheduled for permanent deletion 24 months after tournament completion. Operational logs retain personal or security identifiers for no more than 30 days.

Backups are retained for at most 30 days, so deleted league data ages out of backup copies during that period.

Contact

Privacy questions and requests can be sent to [email protected]. A request may require enough information to identify the relevant private league and participant safely.